US11985239B2 · Active · Utility Patent

Forward secrecy in transport layer security (TLS) using ephemeral keys

Assignee: IBM · Priority: Nov 11, 2019 · Filed: Oct 15, 2021 · Granted: May 14, 2024
Est. expiry: Nov 11, 2039 (~13.4 yrs left) · nominal 20-yr term from priority
Inventors: GRAY MICHAEL W; MADINENI NARAYANA ADITYA; GREEN MATTHEW; MCMAHON SIMON D; MCLEAN LEIGH S; MCKENZIE STEPHEN J; BURGESS LUVITA; WALTENBERG PETER T
Classifications: H04L 9/3073; H04L 9/0891; H04L 9/302; H04L 9/3265; H04L 63/166; H04L 9/0825; H04L 9/14; H04L 9/0861; H04L 9/3247; H04L 63/0823; H04L 63/062; H04L 63/0428
PatentIndex Score: 60 · Cited by: 0 · References: 25 · Claims: 18

Abstract

Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.

Claims

exact text as granted — not AI-modified
Having described the subject matter, what we claim is as follows:

1. A method of preventing compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and a server, the server having a public key pair comprising a server public key, and an associated server private key, comprising:
  at the client:
  issuing to the server a request to establish a new session;
  receiving from the server a certificate chain, the certificate chain comprising a server certificate comprising the server public key, together with a temporary certificate that includes an ephemeral public key of a server ephemeral key pair, the server ephemeral key pair having an associated ephemeral private key, the temporary certificate having been generated by the server signing the ephemeral public key with the server private key;
  validating at least the temporary certificate;
  responsive to validating the temporary certificate, deriving a session key for the new session;
  applying the ephemeral public key of the server to the derived session key to generate a message; and
  outputting the message to the server, the derived session key being recoverable by the server applying the ephemeral private key of the server to the message to complete establishment of the new session;
  wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set.

2. The method as described in claim 1 wherein the public key pair and the ephemeral key pair are Rivest-Shamir-Adelman (RSA) key pairs.

3. The method as described in claim 1 wherein the ephemeral public key of the server is applied to the derived session key in lieu of the server public key.

4. The method as described in claim 1 further including validating the server certificate.

5. The method as described in claim 1 wherein, following establishment of the new session, applying the derived session key to application data.

6. The method as described in claim 1 wherein the ephemeral public key is not re-used following closing of the new session.

7. An apparatus configured as a client, comprising:
  a processor;
  computer memory holding computer program instructions executed by the processor, the computer program instructions comprising program code configured to prevent compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between the client and a server, the server having a public key pair comprising a server public key, and an associated server private key, the program code configured to:
  issue to the server a request to establish a new session;
  receive from the server a certificate chain, the certificate chain comprising a server certificate comprising the server public key, together with a temporary certificate that includes an ephemeral public key of a server ephemeral key pair, the server ephemeral key pair having an associated ephemeral private key, the temporary certificate having been generated by the server signing the ephemeral public key with the server private key;
  validate at least the temporary certificate;
  responsive to validating the temporary certificate, derive a session key for the new session;
  apply the ephemeral public key of the server to the derived session key to generate a message; and
  output the message to the server, the derived session key being recoverable by the server applying the ephemeral private key of the server to the message to complete establishment of the new session;
  wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set.

8. The apparatus as described in claim 7 wherein the public key pair and the ephemeral key pair are Rivest-Shamir-Adelman (RSA) key pairs.

9. The apparatus as described in claim 7 wherein the ephemeral public key of the server is applied to the derived session key in lieu of the server public key.

10. The apparatus as described in claim 7 wherein the program code is also configured to validate the server certificate.

11. The apparatus as described in claim 7 wherein the program code is further configured following establishment of the new session to apply the derived session key to application data.

12. The apparatus as described in claim 7 wherein the ephemeral public key is not re-used following closing of the new session.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system, the computer program product holding computer program instructions executed by the data processing system to prevent compromise of a set of derived session keys for a Transport Layer Security (TLS)-based link between a client and a server, the server having a public key pair comprising a server public key, and an associated server private key, the computer program instructions comprising program code configured at the client to:
  issue to the server a request to establish a new session;
  receive from the server a certificate chain, the certificate chain comprising a server certificate comprising the server public key, together with a temporary certificate that includes an ephemeral public key of a server ephemeral key pair, the server ephemeral key pair having an associated ephemeral private key, the temporary certificate having been generated by the server signing the ephemeral public key with the server private key;
  validate at least the temporary certificate;
  responsive to validating the temporary certificate, derive a session key for the new session;
  apply the ephemeral public key of the server to the derived session key to generate a message; and
  output the message to the server, the derived session key being recoverable by the server applying the ephemeral private key of the server to the message to complete establishment of the new session;
  wherein compromise of a key associated with establishment of the new session does not compromise one or more other derived session keys of the set.

14. The computer program product as described in claim 13 wherein the public key pair and the ephemeral key pair are Rivest-Shamir-Adelman (RSA) key pairs.

15. The computer program product as described in claim 13 wherein the ephemeral public key of the server is applied to the derived session key in lieu of the server public key.

16. The computer program product as described in claim 13 wherein the program code is also configured to validate the server certificate.

17. The computer program product as described in claim 13 wherein the program code is further configured following establishment of the new session to apply the derived session key to application data.

18. The computer program product as described in claim 13 wherein the ephemeral public key is not re-used following closing of the new session.
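The handshake described in the abstract and recited in claims 1 to 6, written out as an added Go example; this is not code from the patent or from any IBM implementation. It assumes RSA-PSS as the server's signature over the ephemeral public key, RSA-OAEP as the "wrapping" operation, 2048-bit keys, and a plain signed-DER struct (TempCert) standing in for a real X.509 temporary certificate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// TempCert: the patent's "temporary certificate", i.e. the ephemeral public key (DER) signed by the server's long-term key.
type TempCert struct {
	EphemeralPubDER []byte
	Signature       []byte
}

func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // long-term (server certificate) key

// ServerHello: generate a fresh ephemeral key pair and sign its public key with the long-term key (server acts as subordinate CA).
func ServerHello(serverKey *rsa.PrivateKey) (*rsa.PrivateKey, TempCert, error) {
	eph, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, TempCert{}, err }
	der, err := x509.MarshalPKIXPublicKey(&eph.PublicKey)
	if err != nil { return nil, TempCert{}, err }
	h := sha256.Sum256(der)
	sig, err := rsa.SignPSS(rand.Reader, serverKey, crypto.SHA256, h[:], nil)
	return eph, TempCert{der, sig}, err
}

// ClientKeyExchange: validate the temporary certificate against the trusted server key, then wrap a fresh session key with the ephemeral key.
func ClientKeyExchange(serverPub *rsa.PublicKey, tc TempCert) (sessionKey, wrapped []byte, err error) {
	h := sha256.Sum256(tc.EphemeralPubDER)
	if err = rsa.VerifyPSS(serverPub, crypto.SHA256, h[:], tc.Signature, nil); err != nil {
		return nil, nil, errors.New("temporary certificate signature invalid")
	}
	pub, err := x509.ParsePKIXPublicKey(tc.EphemeralPubDER)
	if err != nil { return nil, nil, err }
	ephPub, ok := pub.(*rsa.PublicKey)
	if !ok { return nil, nil, errors.New("ephemeral key is not RSA") }
	sessionKey = make([]byte, 32) // 256-bit session key, derived fresh for this session
	if _, err = rand.Read(sessionKey); err != nil { return nil, nil, err }
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, ephPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// ServerFinish recovers the session key; only the matching ephemeral private key can do so.
func ServerFinish(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}
```

Once ServerFinish has returned, the ephemeral private key is simply dropped and never reused, so a later compromise of the long-term server key cannot unwrap this session's key; the accompanying check also confirms that the client rejects a temporary certificate whose ephemeral key bytes were altered in transit.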

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.